By NHI Mgmt Group Editorial Team
Published 2026-04-27
Domain: Governance & Risk
Source: Omada Identity

TL;DR: Just-in-time permissions reduce standing privilege by expiring entitlements automatically, but they only enforce least privilege when Identity Governance and Administration supplies discovery, policy, contextual approval, and audit evidence, according to Omada Identity. The practical lesson is that time-bound access without governance still leaves the blast radius intact.


At a glance

What this is: This article explains how just-in-time permissions reduce standing privilege, and why they only enforce least privilege when paired with Identity Governance and Administration.

Why it matters: IAM and NHI teams need both time-bound access and entitlement governance to prevent excessive rights from persisting across users, workloads, and AI agents.

By the numbers:

  • The 2025 Verizon Data Breach Investigations Report found stolen credentials were the leading initial access vector in roughly one in five breaches.
  • Only 5.7% of organisations have full visibility into their service accounts.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.



Context

Just-in-time permissions are a way to make access expire when the task ends, but they do not solve entitlement sprawl by themselves. The core governance gap is familiar to IAM and NHI teams: privileges accumulate faster than they are reviewed, and workloads or AI agents can inherit rights that outlive their business purpose.

That matters because least privilege is not just about shortening the access window. It is about deciding whether the entitlement should exist, whether it is scoped correctly, and whether there is evidence to prove the decision was controlled. For background on the identity lifecycle issues that make this hard, see the Ultimate Guide to NHIs and its lifecycle guidance.


Key questions

Q: How should security teams implement just-in-time permissions in enterprise IAM?

A: Start with an entitlement inventory, then define policy that limits who can request access, for what business reason, and for how long. JIT works best when IGA supplies approval logic, separation-of-duties checks, and certification evidence. Without that governance layer, you only shorten the life of over-privileged access instead of preventing it.

Q: Why do just-in-time permissions not eliminate standing privilege risk?

A: Because they control duration, not entitlement quality. An over-scoped permission that lasts two hours can still create the same blast radius as a permanent one if the attacker gets it. Standing privilege is reduced only when teams also remove unnecessary rights, govern eligibility, and verify that the access model itself is correct.

Q: What breaks when non-human identities are not governed like human accounts?

A: Service accounts, API keys, tokens, and AI agents can retain access long after the original task ends because they do not naturally pass through joiner-mover-leaver processes. That creates hidden privilege accumulation, weak ownership, and poor revocation discipline. The result is broader attack surface and slower response when access needs to be removed.

Q: What should organisations do first when moving toward least privilege for NHIs?

A: They should start by discovering where non-human identities exist, who owns them, and what privileges they carry. After that, define policy for eligibility, review cadence, and revocation, then use JIT to time-box the permissions that remain necessary. Discovery comes before optimization because you cannot govern what you cannot see.


Technical breakdown

Just-in-time permissions vs just-in-time access

Just-in-time permissions grant specific entitlements inside an application or system for a limited period, then revoke them automatically. They operate at the permission layer, such as roles, group memberships, or application rights. Just-in-time access is different: it governs session-level entry, often through privileged access workflows. The distinction matters because a short session can still carry excessive permissions if the underlying entitlements are broad. In practice, JIT permissions are about reducing entitlement duration, while JIT access is about controlling entry into a privileged context.

Practical implication: Treat JIT permissions as entitlement control, not a substitute for privileged access controls or authorization design.

Why standing privilege persists across human and non-human identities

Standing privilege persists because access is usually granted once and rarely revisited. Human users accumulate rights through role changes and project work. Non-human identities, including service accounts, workloads, and AI agents, often retain access because no joiner-mover-leaver process naturally forces a review. That is where entitlement sprawl becomes a governance problem, not just an operational one. If the underlying access model is never cleaned up, time-bounded permissions only mask the deeper issue. JIT reduces exposure, but it does not correct the original access model.

Practical implication: Inventory and review both human and non-human entitlements before relying on any time-limited access pattern.

How IGA supplies the missing governance layer

Identity Governance and Administration supplies the context JIT cannot infer on its own. It discovers entitlements, defines policy and segregation-of-duties rules, evaluates requests against business context, and produces certification evidence for audit. Without that layer, JIT can expire access quickly but still approve the wrong access. With it, entitlement decisions can be tied to role, sensitivity, and business justification. That is why least privilege becomes enforceable only when governance defines what should exist and JIT controls how long it exists.

Practical implication: Use IGA to decide eligibility and approval rules, then apply JIT to time-box the access that passes policy.


Threat narrative

Attacker objective: The attacker aims to turn a single credential into broad operational reach by exploiting excessive permissions attached to that identity.

  1. Entry occurs when stolen credentials or excessive entitlements let an attacker authenticate as a valid identity with broad permissions.
  2. Escalation happens when standing privilege gives the attacker more access than the immediate task requires, including systems beyond the original account's intended scope.
  3. Impact follows when the attacker uses those entitlements to expand blast radius, move through connected applications, or alter sensitive data and controls.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

JIT without governance is a timing control, not a privilege model. Expiring access quickly reduces exposure, but it does not answer whether the permission should have been granted at all. That distinction is central to NHI governance because service accounts and AI agents can hold access long after a business need ends. Practitioners should treat JIT as a control for duration, not as proof of least privilege.

Standing privilege is the real failure mode, and NHI sprawl makes it worse. Human access reviews already struggle to keep pace with role changes, but NHIs create a larger and less visible entitlement estate. The absence of natural review triggers means permissions can remain active indefinitely unless governance is explicit. Security teams need to govern the entitlement inventory itself, not just the session window.

Ephemeral credential trust debt is the new accumulation risk. Short-lived access looks safer, but if the entitlement model is weak, each temporary grant still carries the same over-scope and segregation-of-duties problems. The debt is not the lifespan of the credential alone. It is the repeated reuse of poorly governed entitlements in automated workflows, cloud systems, and agentic AI.

IGA is becoming the control plane for who is eligible to request access. JIT enforces time bounds, but IGA defines the policy backbone that makes those requests defensible. That means entitlement discovery, approval criteria, certification, and remediation all become preconditions for scalable least privilege. Teams that skip this layer will keep reducing dwell time while leaving blast radius intact.

From our research:

What this signals

Entitlement visibility is now the gating factor for least privilege programmes. When teams cannot see service accounts and other NHIs clearly, JIT becomes a narrow control on top of a broad governance blind spot. The operational priority is to make entitlement discovery continuous, then connect that inventory to approval policy and access certification before expanding time-bound access models.

With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, entitlement governance is no longer a human-only discipline. The next control gap is not session duration. It is whether autonomous systems are being granted permissions that match their actual task scope.

Identity blast radius: the practical measure is not how quickly access expires, but how much damage a valid identity can do before revocation. Teams should align this thinking with least privilege guidance in NIST Cybersecurity Framework 2.0 and NIST SP 800-207 Zero Trust Architecture, then use certification and remediation metrics to prove the model is working.


For practitioners

  • Inventory all standing entitlements first: Map roles, group memberships, app rights, service accounts, and AI agent permissions before introducing JIT. A clean entitlement inventory is the only way to know what should expire and what should be removed entirely.
  • Define eligibility rules in IGA: Set explicit policy for who can request which access, under what business context, and with which separation-of-duties constraints. Do not let time limits substitute for approval logic.
  • Time-box only the access that is already justified: Apply JIT to permissions that have a clear task window, then revoke them automatically when the event ends. Use the shortest practical duration and log the business justification for review.
  • Certify non-human identities on a fixed cadence: Review service accounts, tokens, and automation permissions on a recurring schedule, because no human lifecycle event will force cleanup. Tie certifications to owners and remediation deadlines.
  • Link access reviews to audit evidence: Retain request context, approver identity, policy decision, and revocation evidence so auditors can trace why access existed. This is especially important for regulated environments and high-risk entitlements.
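The following Python is an added illustration of the control loop described in the technical breakdown and in the practitioner steps above; it is not code from the article or from Omada Identity. A discovered inventory gates what can be requested, IGA policy decides eligibility and separation of duties, JIT only clamps the grant window to the policy maximum, and every decision and revocation is retained as audit evidence. The identities, entitlement names and policy windows in build_sample() are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Grant:            # one time-boxed entitlement held by an identity
    identity: str
    entitlement: str
    expires_at: datetime
    revoked: bool = False
class GovernedJit:      # IGA decides whether access should exist; JIT only decides how long
    def __init__(self, inventory, eligibility, sod_conflicts):
        self.inventory = inventory        # discovered entitlements -> sensitivity label
        self.eligibility = eligibility    # (identity, entitlement) -> maximum grant window
        self.sod = sod_conflicts          # frozenset pairs that must never be held together
        self.active, self.audit = [], []  # live grants; evidence records for review and audit

    def request(self, identity, entitlement, approver, justification, wanted, now):
        held = {g.entitlement for g in self.active if g.identity == identity and not g.revoked}
        if entitlement not in self.inventory:
            decision = "denied: entitlement not in inventory"
        elif (identity, entitlement) not in self.eligibility:
            decision = "denied: identity not eligible"
        elif any(frozenset({entitlement, h}) in self.sod for h in held):
            decision = "denied: separation-of-duties conflict"
        elif not justification.strip():
            decision = "denied: missing business justification"
        else:
            decision = "approved"
        self.audit.append({"at": now, "identity": identity, "entitlement": entitlement,
                           "approver": approver, "justification": justification, "decision": decision})
        if decision != "approved":
            return decision, None
        # JIT only clamps the window to the policy maximum; it never widens the scope
        grant = Grant(identity, entitlement, now + min(wanted, self.eligibility[(identity, entitlement)]))
        self.active.append(grant)
        return decision, grant

    def expire(self, now):  # revoke grants past their window and record each revocation
        due = [g for g in self.active if not g.revoked and g.expires_at <= now]
        for g in due:
            g.revoked = True
            self.audit.append({"at": now, "identity": g.identity, "entitlement": g.entitlement,
                               "decision": "revoked: window expired"})
        return due
def build_sample():     # constructed inventory and policy; hypothetical names, not from the article
    return GovernedJit(
        inventory={"payments-db:write": "high", "payments-db:read": "low", "ledger:approve": "high"},
        eligibility={("svc-reconcile", "payments-db:write"): timedelta(hours=1),
                     ("svc-reconcile", "ledger:approve"): timedelta(hours=1)},
        sod_conflicts={frozenset({"payments-db:write", "ledger:approve"})})
```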

Key takeaways

  • JIT permissions reduce exposure, but IGA determines whether the access was ever appropriate.
  • Standing privilege remains the core risk for users, service accounts, and AI agents alike.
  • Least privilege becomes operational only when discovery, policy, and revocation work as one control loop.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | JIT and standing privilege map directly to entitlement rotation and revocation gaps.
NIST CSF 2.0 | PR.AC-4 | Access permissions management is the core control theme in this article.
NIST Zero Trust (SP 800-207) | | Zero Trust depends on continuous verification, not persistent access grants.

Use Zero Trust principles to reduce standing access and require policy-based checks before access is granted.


Key terms

  • Just-in-time permissions: A control pattern that grants specific application or system entitlements only for the period they are needed, then removes them automatically. It reduces the time a permission can be abused, but it does not by itself decide whether the permission was justified or correctly scoped in the first place.
  • Standing privilege: Access that remains active after the original business need has passed. In identity governance, standing privilege is a persistent risk because it broadens the attack surface, weakens least privilege, and often persists across role changes, projects, and automated accounts unless explicitly reviewed.
  • Identity Governance and Administration: The discipline and control set that discovers entitlements, defines access policy, evaluates eligibility, and produces audit evidence. IGA is the layer that turns access decisions into governed, reviewable outcomes instead of one-off approvals that drift over time.
  • Non-human identity: A digital identity used by software, automation, or an agent rather than a person. This includes service accounts, API keys, tokens, certificates, workloads, bots, and AI agents, all of which can accumulate privilege and require lifecycle governance just like human accounts.

Deepen your knowledge

JIT permissions, entitlement governance, and least privilege for NHIs are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to make access expiration work in a real enterprise IAM programme, it is worth exploring.

This post draws on content published by Omada Identity: Just-in-Time Permissions Explained: How JIT and IGA Together Enforce Least Privilege. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org